
“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” according to the report. “App developers share data with Facebook through the Facebook Software Development Kit (SDK).”

Privacy International examined 34 Android apps, each with an install base of between 10 million and 500 million, and found that they transmitted data to Facebook through the SDK. What is shared varies by app. Kayak, for example, sends Facebook every search performed through its app, according to the researchers. A King James Bible app shared the passage and verse the user was viewing.

The researchers said the majority of apps share the fact that the app is in use, when it is opened and closed, which Android device it is running on and the user's inferred location, derived from language and time-zone settings.

Sometimes the sensitive fact is simply that a given app is in use: the apps found sharing data include a women's period tracker, prayer apps, job-search apps and apps aimed at young children. Other data the apps were found sending via the Facebook SDK includes something called "user ratings", session IDs and additional data variables.

Facebook, Privacy International points out, is just one of hundreds of so-called tracking companies that collect data for online marketing firms, which pull user information together to build massive digital dossiers on individuals. By Privacy International's count, Facebook is the second-largest such tracker on the internet after Google.

“The reason we focused on Facebook, and not Google or any of the other tracking companies, is because the very fact that apps – like a period tracker or an LED flashlight [app] – share data with Facebook will come as a surprise to many people. And, especially for those who have made a conscious decision not to be on Facebook,” said Frederike Kaltheuner, researcher with Privacy International, during her talk on Saturday.

Key findings from Privacy International's examination of the 34 apps include that 61 percent of the apps tested automatically transfer data to Facebook the moment a user opens them. Some apps routinely send Facebook highly detailed, and sometimes sensitive, data about people who are either logged out of Facebook or who do not have a Facebook account at all.

"Obviously we only focused on the data that apps transmit. However, what we can't say is definitively how the data is being used," Kaltheuner said.

Christopher Weatherhead, a Privacy International researcher, said the focus of its research wasn’t to blame app developers. “We’re not here to criticize developers for the way they make their apps. This is all about SDK and the way it transmits data with or without user consent,” he said.

The Facebook SDK for Android serves many purposes. It lets app developers integrate their apps with Facebook's platform, and it bundles a number of components that are useful to developers, such as user analytics, the ability to display ads and "Login with Facebook", which lets a user sign in to a service with their Facebook identity.

When Privacy International asked Facebook about the use of its SDK, the social network pointed out that developers were responsible for configuring the apps to share or not share data.

"Facebook places a legal and contractual obligation on the developer, who they see as the data controller, to get the consent that is required from users before sharing data with Facebook through the SDK," Kaltheuner said.

When Threatpost asked for comment on the report, a spokesperson responded with a statement:

“Facebook’s SDK tool means that developers can choose to collect app events automatically, to not collect them at all, or to delay collecting them until consent is obtained, depending on their particular circumstances. We also require developers to ensure they have an appropriate legal basis to collect and process users’ information. Finally, we provide guidance to developers on how to comply with our requirements in this regard.”

But Facebook acknowledged to Privacy International that most developers use the SDK's default settings, under which data is shared the instant an app is launched. That behavior has raised hackles among developers since May, when they were required to comply with the European Union's General Data Protection Regulation (GDPR), which requires explicit and unambiguous permission before user data is collected.

In response, Facebook released a feature in its SDK in June that delays what it calls "automatic event logging", giving developers the option to turn the feature off or to hold off collection until the user has granted permission. However, even with the changes Facebook made, the SDK continues to send a signal that it has been initialized each time an app is opened, even when the SDK's data sharing is turned off.

"The signal that the SDK has been initialized, that's data that gives [Facebook] a strong indication what kind of apps somebody uses and when they're using it, all combined with a user ID," Kaltheuner said. Whether this data collection is compliant with GDPR and other privacy laws is an open question, according to Privacy International.
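To make the three options in Facebook's statement concrete (collect automatically, never collect, or delay until consent), the following is an added example written for this article; it is not code from the original article, from Privacy International or from Facebook's documentation. It assumes Facebook SDK for Android 4.34 or later, where the manifest flags `com.facebook.sdk.AutoInitEnabled` and `com.facebook.sdk.AutoLogAppEventsEnabled` and the methods `FacebookSdk.setAutoInitEnabled`, `FacebookSdk.setAutoLogAppEventsEnabled`, `FacebookSdk.setAdvertiserIDCollectionEnabled` and `FacebookSdk.fullyInitialize()` are available; the package name, `ConsentGatedApp`, `ConsentStore` and the consent-dialog hooks are hypothetical. The comment at the top shows the weak default (no flags at all) beside the consent-gated manifest configuration; the class shows the runtime side that brings the SDK up only after the user has agreed.

```java
// Added example (not code from the original article or from Privacy International).
// Assumes Facebook Android SDK 4.34+; ConsentStore and the dialog hooks are hypothetical.
//
// Weak default: no meta-data at all. Both AutoInitEnabled and AutoLogAppEventsEnabled
// default to true, so the SDK initializes itself and logs an "app activated" event as
// soon as the process starts, before any consent prompt can be shown.
//
// Consent-gated configuration, in AndroidManifest.xml inside <application>:
//
//   <meta-data android:name="com.facebook.sdk.ApplicationId"
//              android:value="@string/facebook_app_id" />
//   <meta-data android:name="com.facebook.sdk.AutoInitEnabled"
//              android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
//              android:value="false" />
//   <meta-data android:name="com.facebook.sdk.AdvertiserIDCollectionEnabled"
//              android:value="false" />
//
// These have to be manifest flags rather than runtime calls: the SDK's automatic
// initialization runs from a content provider it registers, and Android creates
// content providers before Application.onCreate(), so code in onCreate() runs too
// late to stop the first "SDK initialized" signal.

package com.example.consentgate; // hypothetical package

import android.app.Application;
import android.content.Context;
import android.content.SharedPreferences;

import com.facebook.FacebookSdk;

public class ConsentGatedApp extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        // With AutoInitEnabled=false in the manifest, nothing has been sent yet.
        // Bring the SDK up only if the user consented on an earlier run.
        if (ConsentStore.hasConsent(this)) {
            enableFacebookSdk();
        }
    }

    /** Hypothetical hook: call from the consent dialog's "accept" handler. */
    public static void onUserAccepted(Context ctx) {
        ConsentStore.setConsent(ctx, true);
        enableFacebookSdk();
    }

    /** Hypothetical hook: call from the "decline" handler; the SDK stays down. */
    public static void onUserDeclined(Context ctx) {
        ConsentStore.setConsent(ctx, false);
    }

    private static void enableFacebookSdk() {
        FacebookSdk.setAutoInitEnabled(true);
        FacebookSdk.fullyInitialize();
        // Events from before this point in the process lifetime were never
        // collected, not merely queued; logging starts from here on.
        FacebookSdk.setAutoLogAppEventsEnabled(true);
        FacebookSdk.setAdvertiserIDCollectionEnabled(true);
    }

    /** Hypothetical consent persistence; a real app would also record a version and timestamp. */
    static final class ConsentStore {
        private static final String PREFS = "consent";
        private static final String KEY = "facebook_sdk";

        static boolean hasConsent(Context ctx) {
            SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
            return p.getBoolean(KEY, false);
        }

        static void setConsent(Context ctx, boolean granted) {
            ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
               .edit().putBoolean(KEY, granted).apply();
        }
    }
}
```

The check a practitioner should not skip, given the finding above that an "SDK initialized" signal was still observed with event logging turned off: run the build behind an intercepting proxy, open the app without accepting the dialog, and confirm that no request to a Facebook domain leaves the device before consent. Setting flags is not the same as verifying the traffic.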

Privacy International is advocating for further changes by Facebook and a heightened awareness among developers to transmit the least amount of data needed and give people more choices in what data is collected from them.

"The question [for developers] is, do you really need to integrate the SDK, and if you integrate, can you do it selectively," Kaltheuner said. "You shouldn't assume that the default implementation is compliance. And, whenever you do implement it, be very fair and transparent to users about how exactly you're collecting data."

"Some, we had the impression, didn't fully understand the SDK and what the SDK does. Others had a very different interpretation of what they should do legally. Others didn't really realize that this is happening and promised to update their app," Kaltheuner said.

Two apps, Skyscanner and IBM's The Weather Channel, agreed when notified to make immediate changes to their use of the Facebook SDK.

Authors

Threatpost
